@@ -13927,6 +13927,21 @@ static struct bpf_test tests[] = {
.result = ACCEPT,
},
{
+ "reference tracking: defend against SSB exploitation",
+ .insns = {
+ BPF_MOV32_IMM(BPF_REG_2, 1),
+ /* stack[-1] = (integer) 1 */
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
+ /* stack[-1] = (pointer) context */
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
+ BPF_MOV32_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .infostr_unpriv = "patching in sanitization against SSB at 2",
+ .result_unpriv = ACCEPT,
+ .result = ACCEPT,
+ },
+ {
"calls: ctx read at start of subprog",
.insns = {
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
Test that the defence added by commit af86ca4e3088 "bpf: Prevent memory disambiguation attack" is actually being applied. Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> --- tools/testing/selftests/bpf/test_verifier.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)